Active Directory: Comparing two AD Security Groups with PowerShell

There is a slight gotcha, as explained here. You should define the property that you want to compare (the -Property parameter). Originally I was only "selecting" one property into my variable, which I thought would solve the problem. But no.

Comparing AD security group “DG-XenSSO-LIVE” with “DG-XenLive”

The wrong way:

The result was a lie: it told me that members were in both groups and missed other members.

The right way:

And a one liner (using the alias):

There are three "SideIndicator" values returned:
==  In both groups
=>  In $GP2, but not in $GP1
<=  In $GP1, but not in $GP2

If you don't include the "-IncludeEqual" parameter, you won't see the == rows at all; only the differences are shown by default.
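An added example (not the original post's code) that does the comparison the way the post recommends, with -Property and -IncludeEqual, and labels each side indicator in plain words. It assumes the ActiveDirectory module (RSAT) is loaded and uses the two group names from the post; Compare-ADGroupMembership and its parameters are my own names.

```powershell
# Added example: compare the membership of two AD security groups on one
# attribute (SamAccountName) instead of on whole objects.
Import-Module ActiveDirectory

function Compare-ADGroupMembership {
    param(
        [Parameter(Mandatory)][string]$ReferenceGroup,
        [Parameter(Mandatory)][string]$DifferenceGroup,
        [switch]$Recursive   # also expand nested group membership
    )

    # @() guards against an empty group returning $null, which
    # Compare-Object would reject as a reference/difference object.
    $GP1 = @(Get-ADGroupMember -Identity $ReferenceGroup  -Recursive:$Recursive)
    $GP2 = @(Get-ADGroupMember -Identity $DifferenceGroup -Recursive:$Recursive)

    # -Property defines what "the same member" means; without it the
    # comparison does not reflect the attribute you care about.
    # -IncludeEqual is required to see the '==' rows.
    Compare-Object -ReferenceObject $GP1 -DifferenceObject $GP2 `
        -Property SamAccountName -IncludeEqual |
        ForEach-Object {
            $label = switch ($_.SideIndicator) {
                '==' { 'Both groups' }
                '<=' { "Only in $ReferenceGroup" }
                '=>' { "Only in $DifferenceGroup" }
            }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Membership     = $label
            }
        }
}

# Usage with the two groups from the post; sorting groups the rows by side.
Compare-ADGroupMembership -ReferenceGroup 'DG-XenSSO-LIVE' -DifferenceGroup 'DG-XenLive' |
    Sort-Object Membership, SamAccountName |
    Format-Table -AutoSize
```

The 'Only in' rows are the ones worth reviewing when the two groups are supposed to grant equivalent access, since they show where membership has drifted.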

Alias: diff

Reference: http://technet.microsoft.com/en-us/library/ee156812.aspx.
MS doesn't mention -Property there, but that may be because the page is for PS v1.0.
This is the PS v4.0 page: http://technet.microsoft.com/en-us/library/hh849941.aspx

Works with PowerShell v 2.0 / Server 2008 R2.

One thought on "Active Directory: Comparing two AD Security Groups with PowerShell"

  1. raja

    I am looking for some help; hope nobody will gala me for being ignorant. Not that long ago I became something of an AD admin. The organisation is big, so the tasks vary. I can easily complete what I require via snap-ins in most cases. However, I have a task on my hands that exceeds my "creativity". I want to change security groups' scope from Global to Domain Local and need to compare the users in the other forest (two-way relationship); if a user exists, that user needs to be added to this security group. My two problems are:
    - I am very new to scripting and getting increasingly frustrated that I can't comprehend it and make my scripts work as I need them to.
    - The deadline for this task and other responsibilities give me little time to read more on scripting basics and learn. As such I am in most cases forced to look for script snippets on the web and modify them a bit to meet my needs. This worked up until now, but now the script I have on my hands is a bit too complex for me.
    The biggest problem I am facing so far is creating a forest-wide search. My organization has two forests with a two-way trust relationship.
    (Find all security groups in a branch of Active Directory, i.e. all groups in a given Organizational Unit and child OUs.
    Pseudo Code:
    For each security group…
    If the name is on a list of those that should not be converted then skip to next security group
    Determine what type it is
    If it is global then convert it to domain local

    Enumerate the members of the list

    For each member
    If the member is a user account then
    Determine the users sAMAccountName (short login name)
    Create a foreign security principal for the equivalent account in other forest domain
    Add the foreign security principal to the list
    End if
    Next member
    Next security group).

    Get-ADGroup -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} | Set-ADGroup -GroupScope Universal

    and

    Get-ADGroup -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Universal"} | Set-ADGroup -GroupScope DomainLocal
